Private Anonymous Electronic Messaging

ABSTRACT

Private anonymous electronic messaging between a message originator and a message recipient within an organization encourages open communication which can provide information to the organization that might otherwise be secreted from the organization, and can allow the message originator to obtain desired help (e.g., counseling). By profiling of the message originator based on current and previous electronic messaging within the system as well as external organizational information (e.g., behavioral or financial information), the system can assess concerns yet act as a gateway to protect the message originator&#39;s true identity through escalating levels of concern unless a genuine concern about the health, well-being, and/or safety of the message originator, others, or the organization is indicated, in which case the system can reveal the true identity of the message originator as appropriate.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to electronic messaging systems,and in particular, anonymous electronic messaging systems.

2. Description of the Prior Art

In today's digital world, communications are often accomplished throughelectronic means such as email, messaging, webpages, etc., rather thanthrough traditional face-to-face or telephonic exchanges. The ease andconvenience of communicating electronically has dramatically changedcommunications within an organization—be it educational, business,and/or military organizations, or other endeavors.

One drawback of modern electronic communications is that the messageoriginator (i.e., the individual sending the message) within anorganization's electronic email or messaging system is identifiable tothe message recipient (i.e., the individual receiving the message)through a message header (e.g., from Bob.Smith@bigcorp.com) or throughthe internet protocol node address from which the message was sent. Thistransparency can have a negative impact on the message sender (e.g., astudent or employee) who may fear repercussions, reprisal, or publicdisclosure if he uses the traceable electronic communication to bring aconcern to the attention of the organization (e.g., by emailing anorganizational authority figure such as a school principal or a boss).

Some electronic communication systems do allow a contributor toparticipate in conversations anonymously—that is, without revealing themessage originator. For example, a user of an Internet forum system canshield his identity by registering for the forum under an unverifiedalias (e.g., by using a created user name (e.g., joker@aol.com) thatdoesn't reveal who the contributor is) or by posting messagesanonymously in the forum as a guest. As another example, an email usercan shield his identity by using an anonymous remailer which receives anemail with embedded instructions on where to forward the email and thenforwards the email without revealing the original address from which theemail was sent, or substitutes a fake source address for the originalsource address associated with the email. Alternatively, an email usercan use pseudonymous remailer software that assigns each user apseudonym and maintains a database of instructions detailing how toreturn emails to the original email address or reply to the email—eventhough the identity of the message originator using that email addressmay not be known.

The anonymity offered by both online forum messaging andanonymously/pseudonymously remailed messaging, however, is nearabsolute—the identity shield cannot be easily pierced regardless of theneed. Thus, the identity of the anonymous or pseudonymous userthreatening harm to himself, others, and/or an organization remainshidden and/or unverifiable—at least during any reasonable timeframeduring which his plans could be intercepted. This inability to verifythe identity of a message originator poses a problem for some types oforganizations (e.g., educational, business, and/or militaryorganizations) that typically need to be able to rely on verifiablecommunications with known individuals, and makes anonymous electroniccommunication systems less desirable.

These same types of organizations (e.g., educational, business, and/ormilitary organizations), however, could benefit from electroniccommunications systems that offer message originators the assurance ofanonymity while giving the organization the ability to deal with realproblems. For example, a high school could benefit from a system thatallows students to anonymously approach counselors for advice on aconcern (e.g., teenage sex or alcoholism) or to anonymously reportincidents such as inappropriate teacher behavior without fear ofreprisal or public disclosure. When the concern triggering thecommunication (e.g., child abuse) is serious enough, however, amechanism to discover the verified identity of the message originatorwould be desirable so that the child could receive medical treatment,counseling, or other assistance and the allegation could beinvestigated.

SUMMARY

In one embodiment is provided a method for electronic messaging betweena message originator of an organization and a message recipient of thesame organization comprising: authenticating by a disinterestedthird-party computing system the message originator based on a knowntrue identity; generating by the computing system based on communicationwith a device of the message originator an electronic message about atopic; updating by the computing system a profile of the messageoriginator based on the electronic message; generating by the computingsystem an alert based on the updated profile or the electronic message;and sending by the computing system the electronic message and the alertto a device of the message recipient without revealing the known trueidentity of the message originator unless the alert exceeds a predefinedthreshold that triggers revealing the known true identity of the messageoriginator or if the message recipient is authorized by the organizationto receive the known true identity.

In another embodiment is provided a method for electronic messagingbetween a message originator of an organization and a message recipientof the same organization comprising: authenticating by a disinterestedthird-party computing system the message originator based on a knowntrue identity; generating by the computing system based on communicationwith a device of the message originator an electronic message about atopic; updating by the computing system a profile of the messageoriginator based on the electronic message; sending the electronicmessage to a device of the message recipient without revealing the trueidentity of the message originator; receiving a request from the deviceof the message recipient to reveal the true identity of the messageoriginator; and sending by the computing system some or all of theupdated profile of the message originator to the device of the messagerecipient without revealing the true identity of the message originatorunless the message recipient is authorized by the organization toreceive the known true identity.

In yet another embodiment is provided a non-transitory computer readablemedium having stored thereupon computing instructions comprising: a codesegment to authenticate by a disinterested third-party computing systema message originator of an organization based on a known true identity;a code segment to generate by the computing system based oncommunication with a device of the message originator an electronicmessage about a topic; a code segment to update by the computing systema profile of the message originator based on the electronic message; acode segment to generate by the computing system an alert based on theupdated profile or the electronic message; and a code segment to send bythe computing system the electronic message and the alert to a device ofa message recipient of the same organization without revealing the knowntrue identity of the message originator unless the alert exceeds apredefined threshold that triggers revealing the known true identity ofthe message originator or if the message recipient is authorized by theorganization to receive the known true identity.

In still another embodiment is provided a non-transitory computerreadable medium having stored thereupon computing instructionscomprising: a code segment to authenticate by a disinterestedthird-party computing system a message originator of an organizationbased on a known true identity; a code segment to generate by thecomputing system based on communication with a device of the messageoriginator an electronic message about a topic; a code segment to updateby the computing system a profile of the message originator based on theelectronic message; a code segment to send the electronic message to adevice of a message recipient of the same organization without revealingthe true identity of the message originator; a code segment to receive arequest from the device of the message recipient to reveal the trueidentity of the message originator; and a code segment to send by thecomputing system some or all of the updated profile of the messageoriginator to the device of the message recipient without revealing thetrue identity of the message originator unless the message recipient isauthorized by the organization to receive the known true identity.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a system for private anonymous electronicmessaging according to one embodiment.

FIG. 2 is an exemplary process flowchart of a method for privateanonymous electronic messaging according to one embodiment.

FIG. 3 is a block diagram illustrating possible messagerecipient-triggered actions in the method for private anonymouselectronic messaging according to one embodiment.

DETAILED DESCRIPTION OF THE INVENTION

Described herein are various embodiments of a method and system wherebyan individual (e.g., student) within an organization (e.g., school) caninitiate and maintain an anonymous electronic dialogue about a concern(e.g., sexual harassment) with a representative of the organization(e.g., a teacher), while at the same time the organization has theability to identify and deal appropriately with concerns that may arisewith respect to the health, well-being, and/or safety of theorganization and/or its members. The anonymity of the individual duringthe electronic dialogue is realized by using a disinterested third-partycomputing system to manage the electronic communications from and to theindividual without revealing the true identity of the individual to therepresentative with whom the individual is communicating. The trueidentity is a verified name, identification number (e.g., studentidentification number, military identification number, or employeeidentification number), or other similar unique identifier (e.g., socialsecurity number, driver's license number, digital identity,fingerprints, etc.) that the organization has correlated to a knownactual individual—that is, the true identity is not just an alias,moniker, or self-selected user identification.

Allowing the individual to remain anonymous during the electronicdialogue encourages an open and honest communication (between thatindividual and the representative of the organization) which can bebeneficial to both the individual and the organization. For example, astudent can anonymously discuss concerns about being sexually harassedby someone at the school without having to worry about retaliation orpublic disclosure of the situation and in return receive advice,counseling, and/or information about his legal options from therepresentative who does not know the identity of the student. At thesame time, the school can learn about potentially criminal behaviorwhich might otherwise have gone undetected and institute investigativeand/or remedial actions.

The anonymity of the individual is not, however, absolute. Instead, thedisinterested third-party computing system acts as a gateway to maintainthis confidentiality of the individual's true identity until/unlessdisclosure of his true identity is necessary to deal with a concernaffecting the individual, others, or the organization. The determinationof whether a concern necessitates disclosure of the individual's trueidentity can be based on a profile of the individual created by thedisinterested third-party computing system and/or on an assessment bythe representative of the organization who received the communication.The disinterested third-party computing system profiles the individualbased on objective data extracted from and/or subjective metricsgenerated from current and historical electronic messages from and tothe individual, as well as, in some cases, other organizational data(e.g., student attendance record).

Once a concern is identified, the disinterested third-party computingsystem can activate an alert. Depending on the severity of the activatedalert, the disinterested third-party computing system can respond in anumber of ways including, without limitation, (1) sending the activatedalert to the representative of the organization and/or to another party(e.g., an organizational authority figure such as a school principaland/or a third-party responder such as the police or fire department);(2) providing the profile of the individual to the representative of theorganization and/or to another party (e.g., an organizational authorityfigure such as a school principal and/or a third-party responder such asthe police or fire department); and/or (3) disclosing the true identityof the individual to the representative of the organization and/or toanother party (e.g., an organizational authority figure such as a schoolprincipal and/or a third-party responder such as the police or firedepartment).

This private anonymous electronic messaging system differs in someimportant respects from both online forums and email systems. In theprivate anonymous electronic messaging system embodied as describedherein, despite maintaining anonymity for communications, the trueidentity of the individual initiating the electronic dialogue isdeterminable by the system and/or the organization. Thus, the trueidentity of the message originator can be revealed—almost immediately ifnecessary (as, for example, if the message originator poses a risk tohimself, others, or the organization). As discussed above, neitheronline forums nor email systems are designed to ensure user anonymitywhile maintaining the ability to verify the true identity of a user.Furthermore, embodiments of the private anonymous electronic messagingsystem and method described herein utilize profiling of a messageoriginator to evaluate any potential risk to the message originator,others, or the organization.

Referring now to FIG. 1, an exemplary block diagram of one embodiment ofthe system for private anonymous electronic messaging is shown. As shownin the figure, a computing system 102 (preferably a computer server) iscoupled through a communications network 110 to a message originatordevice 101 operated by a message originator, a recipient device 104operated by a message recipient, an authority figure device 105 operatedby the organizational authority figure, and a third-party device 106operated by the third-party responder.

Computing system 102 is preferably a computing system of a disinterestedthird-party, i.e., not related to (e.g., not a parent or subsidiarycompany of), affiliated with (e.g., not a business partner), or in thepossession or control of the organization. Alternatively, in oneembodiment, computing system 102 can be related to, affiliated with,and/or in the possession or control of the organization. For example,computing system 102 can be in the possession or control of a schoolboard for a district in which a high-school is the organization to whichthe message originator, the message recipient, and the organizationalauthority figure belong.

Computing system 102 communicates through network 110 with messageoriginator device 101, recipient device 104, authority figure device105, and third-party device 106 to coordinate private anonymouselectronic messaging among individuals and/or entities associated withthe organization (e.g., one or more message originator, one or moremessage recipient, one or more organizational authority figure and oneor more third-party responder) as described in greater detail herein.

The message originator is the individual (e.g., student) who usesmessage originator device 101 to communicate through communicationsnetwork 110 with computing system 102 to generate and send an electronicmessage about a concern to the message recipient (i.e., therepresentative of the organization, e.g., teacher) operating recipientdevice 104.

The organizational authority figure is an administrator or otherauthority figure for the organization to which the message originatorand message recipient belong. For example, in an educational context,the message originator can be a student, the message recipient can be ateacher, and the organizational authority figure can be the principal ofthe school. Or, as an example in the military context, the messageoriginator can be an enlisted troop, the message recipient can be anofficer, and the organizational authority figure can be a basecommander. The third-party responder can be an emergency ornon-emergency service provider (e.g., doctor, police, fire department,crisis hotline, or Planned Parenthood).

One of skill in the art will recognize that message originator device101, recipient device 104, authority figure device 105, and third-partyresponder device 106 can each be the same or different type of device,and each can be a personal computer, a laptop, or anycommunications-enabled mobile device with a user interface such as aphone, a smartphone, a personal digital assistant (PDA), a media device(e.g., the iPod or iPod Touch from Apple, Inc.), an electronic tablet(e.g., an iPad from Apple, Inc.), or an electronic reader device (e.g.,a Kindle or Kindle DX from Amazon.com, Inc. of Seattle, Wash., or TheReader from SONY Electronics Inc.). One of skill in the art will furtherunderstand that message originator device 101, recipient device 104,authority figure device 105, and/or third-party responder device 106 caneach, in various embodiments, run a standalone application tocommunicate across network 110 with computing system 102 in aclient-server model. This is typically performed by the device operatoroperating an application such as a web browser running on the device.

Computing system 102 is also coupled to data store 103 either directlyor through network 110. Computing system 102 communicates with datastore 103 to store and retrieve data about the message originator, aswell as data about messages to, from, and about the message originator,in order to create, update, and access a profile of the messageoriginator. The profile for the message originator is a collection ofdata associated with the message originator comprising objective datafrom current and/or past electronic messages from and to the messageoriginator, subjective assessments about the message originator, and/ordescriptive, predictive, and/or summary metrics about the messageoriginator as discussed further herein. Computing system 102 can alsoincorporate external content (e.g., grades or other performanceindications, attendance records, financial data, behavioral informationfrom staff and/or security personnel, etc.), preferably obtained fromthe organization, into the profile for the message originator.

One of skill in the art will recognize that computing networks 110between computing system 102 and various devices and/or betweencomputing system 102 and data store 103 can be the same or differentknown forms of network communication. One of ordinary skill in the artwill understand that each network connection can be, without limitation,an integrated services digital network (ISDN), a broadband ISDN(B-ISDN), a digital subscriber line (ADSL, ADSL+2), a symmetric digitalsubscriber line (SDSL), a very high speed DSL (VDSL), cable, cellulartelephone, wireless, a broadband Internet connection, a T-1 line, abonded T-1 line, a T-3 line, an optical carrier level 3 (OC3), asatellite, or any other form of network connection now known or laterdeveloped. One of ordinary skill in the art will further understand thatnetwork 110 can be a combination of wired and/or wireless networks, awide area network (WAN), a local area network (LAN), a global areanetwork (GAN), a virtual private network (VPN), a personal area network(PAN), an enterprise private network, or any similar network now knownor later developed.

In various embodiments, the organization provides to computing system102 the true identity in the form of names of organization members forthe private electronic messaging system. Alternatively, the organizationcan provide to computing system 102 the true identity in the form ofunique identifiers for members of the organization, which uniqueidentifiers (e.g., student/employee numbers) can be correlated by theorganization to the respective true identity of its members. In thisembodiment, the organization itself can maintain a master list of thetrue identity of the potential message originator assigned to eachunique identifier, so personally identifiable information (e.g., fullname, social security number, driver's license number, digital identity,fingerprints, etc.) for the potential message originators remains withthe organization rather than being shared with computing system 102. Inother embodiments, computing system 102 can maintain the master list ofthe true identity of the individual assigned to each unique identifier.In one embodiment, a system-generated unique temporary authenticationtoken is provided to the organization member (after s/he has beenassigned a unique identifier) to allow him/her to access the system inorder to activate an account.

In one embodiment, an organization member can activate an account withinthe private messaging system by providing his system-generated uniquetemporary authentication token to enter the system process of selectinga user name and password. In another embodiment, an organization membercan activate an account within the private messaging system by providinghis name or unique identifier to enter the system process of selecting auser name and password. This process is the same as in other knownmessaging systems except that either computing system 102 or theorganization knows the true identity of the organization memberproviding the selected user name and password.

Once an account is activated, a student may want to send a messageanonymously (thus becoming the message originator) to a teacher (whothus becomes the message recipient) about a concern (i.e., topic). Aprocess flow of the method by which the student can do so via privateanonymous electronic messaging according to one embodiment is presentedin FIG. 2. In step 201, computing system 102 authenticates the messageoriginator (communicating via message originator device 101 withcomputing system 102 through network 110), preferably through a userlogin with the user name and password. This authentication processpermits computing system 102 to verify that the user is an accountholder whose true identity is known.

In step 202, computing system 102 communicates with the messageoriginator to generate a private anonymous electronic message to be sentto one or more message recipient. The electronic message from a messageoriginator consists of one or more identified message recipient(selected by the message originator or by computing system 102), one ormore topic, and the message content. Computing system 102 receivesmessage content for the electronic message from the message originatorwho enters message content into the system through message originatordevice 101, typically through textual input through some type ofkeyboard or spoken message content translated into text.

The message originator can choose one or more predefined message topic(e.g., sexual harassment, depression, threat to personal safety, threatto the organization, etc.) preferably from a drop-down list presentedthrough a user interface.

The message originator can also select one or more message recipient forthe generated electronic message and/or computing system 102 can directthe electronic message to one or more organization-designated messagerecipient based on the message topic and/or profiling (as discussedfurther herein). The message recipient can be a supervisory-levelindividual within the organization (e.g., a teacher or counselor), anorganizational authority figure (e.g., a principal), or an individual orentity outside the organization (e.g., a third-party counselor such asPlanned Parenthood, a crisis hotline, the police, or the firedepartment), or any similar individual designated by the organization toreceive the anonymous electronic communications and identified as suchto computing system 102.

As an example, if a student (the message originator) wants to send anelectronic message to teacher A (the message recipient) and selects thetopic “child abuse”, then computing system 102 can send the electronicmessage with a topic line of “child abuse” to a device of the messagerecipient (teacher A). Selection of certain topics (e.g., “child abuse”)by the message originator can, furthermore, initiate automatic actionsby computing system 102. In the child abuse example given above,selection of such a topic can result in computing system 102 alsocopying the message to a second message recipient (e.g., a counselordesignated by the organization to deal with child abuse issues), anorganizational authority figure (e.g., school principal) and/or athird-party responder (e.g., police or school board) as appropriate.Such automatic actions initiated by computing system 102 need not bevisible to the message originator, but can allow informing appropriateindividuals of a situation.

The electronic message about the selected topic from the messageoriginator to the message recipient initiates a topic-specific dialogue.That electronic message and further electronic messages within the samemessage chain about the selected topic between the message originatorand the message recipient (e.g., replies, forwards, etc.) are maintainedtogether as a conversational message thread using known message threadtechniques. Thus, the message threads isolate messaging exchanges to andfrom a given message originator on a specific topic.

Because known messaging techniques create and maintain permanentmessages, the electronic messages, once sent, are immutable. As such,the message threads can be useful if the authenticity of the messagecontent is ever questioned (e.g., if the message is introduced asevidence in subsequent legal proceedings).

In various embodiments, the message originator can choose to remaincompletely anonymous to the message recipient (i.e., no “sender” isindicated on the electronic message), or to be identified within theelectronic message by his self-selected user name.

With continuing reference to FIG. 2, once the electronic message hasbeen generated (step 202), then, in step 203, computing system 102optionally updates the profile and analyzes the generated electronicmessage and/or updated profile of the message originator. Analysis ofthe electronic message can involve parsing of information from theelectronic message, and can incorporate information retrieved from theupdated profile of the message originator. Statistical techniques canalso be applied to profile data to generate additional profile metrics.In one embodiment, profile data from multiple message originators can becompiled and analyzed statistically to yield metrics to be applied tothe message originator's profile to allow determinations about alertparameters.

Computing system 102 updates the message originator's profile by (i)extracting data from the electronic message generated in step 202 andadding the extracted data to the profile; (ii) generating one or moresubjective assessment about the message originator based on theextracted data and adding the subjective assessment(s) to the profile;and/or (iii) applying known statistical algorithms to the extracteddata, the subjective assessment(s), and/or the profile of the messageoriginator to generate descriptive, predictive, and/or summary metricsabout the message originator and adding the metrics to the profile.Extracted information can include objective information such as, withoutlimitation, electronic message topic(s), time and date of the electronicmessage, the message recipient(s), thread topic(s), and/or the degree orseverity of any perceived concern within the electronic message.Subjective assessments based on the extracted data can include, withoutlimitation, a credibility rating for the message originator, a moodindicator, and/or a risk assessment. These subjective assessments are,in one embodiment, compiled from feedback options provided to messagerecipients and/or from other data gathered about message originatorsfrom the organization. For example, an organizational authority figurecould flag a message originator as being a known alarmist. Computingsystem 102 would apply that metric to the message originator's profilewithout the organization having knowledge of who that message originatoris (e.g., whether the message originator is Billy Smith or Tom Jones).The subjective assessment data can be pre-loaded into computing system102 with other data about a message originator (e.g., grade level,gender, and/or risk factor).

Statistical metrics can include, without limitation, basic demographicdata (e.g., age, gender, pay grade, military ranking, grade pointaverage, and/or other known demographic data), a count of the number ofelectronic message topics, the number of electronic messages within agiven time period, the number of message threads per topic,sub-classifications of topics (e.g., depression can be sub-classified aschronic, seasonal, manic, or postpartum), rankings of the messageoriginator on psychological scales (e.g., personality scales, moodscales) relative to normative standards and/or relative to other messageoriginators, and/or behavioral predictions. The profile can be updatedwith the extracted data, subjective assessments, and/or statisticalmetrics in real-time as the data are extracted, assessed, and/oranalyzed, or at regular scheduled intervals.

In step 204, computing system 102 determines (based on the analysis ofthe generated electronic message and/or profile in step 203) whether themessage and/or updated profile should activate an alert. An alertindicates a concern about the health and/or safety of the messageoriginator, to the safety/integrity of the organization, and/or to thehealth, safety, and/or behavior of another individual within theorganization. The alert can range along a scale from a low-levelcautionary or advisory alert (e.g., the generated electronic message mayindicate that the message originator is depressed) to a high-levelimmediate concern alert (e.g., an immediate threat exists to the messageoriginator, the organization, and/or another individual within theorganization). In one embodiment, alert levels are a graduated scalewith numbers, colors, or descriptions indicating relative severity. Forexample, on a 1 to 5 scale, the alerts can be

-   -   1—informational alert (e.g., “User John Doe sent a message with        a topic of ‘depression’”);    -   2—warning alert (e.g., “User John Doe sent a new message with a        topic of “depression” and key word analysis of the message        indicates a need for expedient follow-up”);    -   3—elevated warning alert (e.g., “User John Doe sent a new        message with a topic of “depression” and key word analysis of        the message and sender profile analysis indicate elevated cause        for concern. See attached report for assessment details.”); and    -   4—high priority alert (e.g., “User John Doe sent a new message        with a topic of “depression” and key word analysis of the        message and sender profile analysis indicate serious cause for        concern. Immediate action is required. See attached report for        assessment and additional alert details.”); and    -   5—critical alert (e.g., “User John Doe sent a new message with a        topic of “depression” and key word analysis of the message and        sender profile analysis indicate imminent threat. Immediate        action is required. Local resources have also been contacted.        See attached report for assessment and additional alert details        as well as detailed crisis management plan.”).

In one embodiment, predefined thresholds must be met to activate thealert and/or escalate the alert to a higher level alert. The predefinedthresholds are, in one embodiment, a weighted numeric scoring systembased on descriptive, predictive, and/or summary metrics. In otherembodiments, the predefined threshold is determined in a manner similarto that used in self-assessment tests wherein a series of independentresponses are combined to determine an overall assessment (although eachcontributing response can contribute a larger or smaller amount to theoverall assessment depending on its relative importance). For example, akey word analysis of a message which contains the word “suicide” wouldadd more to the aggregate escalation score than 5 messages that eachcontained the word “sad”.

If, in step 204, the message and/or profile indicate that an alert is tobe activated, computing system 102 can, in step 205, activate the alertor escalate the level of a previously activated alert, by adding analert to the generated message (and updating the profile to reflect thisalert). A range of alerts can be predetermined by the organization andassociated with predefined actions to be performed by computing system102. Because the alert can range along a scale from a low-levelcautionary or advisory alert (which may not require immediate action,e.g., the alert can indicate that the message originator is depressed)to a high-level immediate concern alert (which can necessitate animmediate action, e.g., the alert can indicate a bomb threat), multiplelevels of alert escalation are possible.

The alert can include information about why the alert is necessary(e.g., “bomb threat” or “student depressed”). The alert can be conveyedto the message recipient, the organizational authority figure, and/orthe third-party as information with the message thread or can even besent as a new message through the system. In other embodiments, thealert can be distributed by other means such as email, SMS text,system-generated phone calls, and/or an emergency notification system.

Depending on the type or severity of the alert, activation of the alertcan trigger automatic actions by computing system 102, including, forexample, (i) sending/forwarding the electronic message and the alert tothe message recipient, the organizational authority figure, and/or thethird-party responder (as discussed further herein with respect to steps206, 207, and 208); (ii) forwarding the message and/or the alertsystem-wide to the organization members (as, for example, if a schoolneeds to be evacuated); and/or (iii) revealing the true identity of themessage originator (if the system has the true identity of the messageoriginator) or the unique identifier for the message originator (if thesystem has the unique identifier rather than the true identity of themessage originator) to the message recipient, the organizationalauthority figure, and/or the third-party responder.

In step 206, computing system 102 sends the generated electronic messageand the associated alert (separately or together) to the messagerecipient(s). If the alert is a low-level cautionary alert such that noimmediate concern exists (e.g., the profile or message content suggestthat the message originator is depressed), computing system 102 can sendthe electronic message and the associated alert to the messagerecipient(s) as a warning to review the electronic communication forindications that the message originator may be depressed enough towarrant intervention. In various embodiments, computing system 102 canalso send the profile of the message originator (in whole or in part),either with the associated alert and/or the electronic message or as aseparate communication.

In step 207, computing system 102 sends the electronic message and theassociated alert (separately or together) to one or more organizationalauthority figure—instead of, or in addition to sending the electronicmessage and alert to the message recipient(s). For example, if the alertis a mid-level warning alert (e.g., no immediate concern exists, but apotential problem such as a walkout may be developing), computing system102 can send the electronic message and associated alert to anorganizational authority figure such as the manufacturing plantmanager—instead of, or in addition to sending the electronic message andassociated alert to the message recipient. In other embodiments,computing system 102 can also send the profile of the message originator(in whole or in part) to the organizational authority figure—eitherwith, or separate from, the electronic message and/or the associatedalert.

In step 208, computing system 102 sends the electronic message and theassociated alert to a third-party responder—instead of, or in additionto sending the electronic message and associated alert (separately ortogether) to the message recipient(s) and/or the organization authorityfigure(s). For example, if the alert is a high-level, immediate concern(e.g., “bomb in building 3”), computing system 102 can send theelectronic message and associated alert to one or more third-partyresponder such as the police department, the fire department, and/or thebomb disposal unit—instead of, or in addition to sending the electronicmessage and associated alert to the message recipient(s) and/or theorganizational authority figure(s). Computing system 102 can also sendthe profile of the message originator (in whole or in part) to the thirdparty responder—either with, or separate from, the electronic messageand/or the associated alert.

Returning to step 204, if the decision is that an alert is not to beactivated, then, in step 206, the electronic message is sent to themessage recipient without an alert.

After sending the generated electronic message to the messagerecipient(s), computing system 102 can (but need not) receive one ormore type of request from the message recipient. Referring now to FIG.3, block diagram 300 shows possible message recipient-triggered actionsin one embodiment of the method for private anonymous electronicmessaging.

In block 301, computing system 102 receives from the message recipient arequest to reveal the true identity of the message originator. Such arequest might be received if the message recipient were concerned (e.g.,triggered by something written in the electronic message) about themessage originator, as for example, if the message originator seemsseriously depressed and in need of immediate intervention. In responseto the request, computing system 102 can send the profile of the messageoriginator (in whole or in part) to the message recipient (block 302)and/or, if the message recipient is preauthorized by the organization toreceive true identify information, computing system 102 can send thetrue identity of the message originator to the message recipient (block303). If the true identity of the message originator is to be revealed,but computing system 102 has only the unique identifier for that messageoriginator, computing system 102 sends the unique identifier for thatmessage originator to the organizational authority figure authorized toreveal true identities. The organizational authority can, in turn,search the master list of correlated organization member identities andunique identifiers to learn the true identity of the message originatorassociated with that unique identifier, and provide that information tothe message recipient. Alternatively, computing system 102 can send theprofile of the message originator (in whole or in part) to the messagerecipient after receiving a request from the message recipient for theprofile of the message originator.

In block 304, computing system 102 receives from the message recipient arequest to generate a reply to the received electronic message.Computing system 102 can then communicate with the message recipient togenerate and send the reply to the message originator (block 305). Inone embodiment, the reply can be attached to the chain of electronicmessages within the message thread. Alternatively, the reply can be sentalone. A message thread can be built and maintained between the messageoriginator and the message recipient by looping the steps of FIG. 2(steps 201 through 206) with generation and sending of the reply (blocks304 and 305). It is explicitly contemplated that in some circumstances,a message recipient can originate (rather than reply to) an electronicmessage to the message originator. For example, a teacher oradministrator (usually the message recipient) may stop receivingelectronic messages from a message originator who was profiled asdepressed. Rather than ignore a concern about the safety of that messageoriginator, the message recipient teacher or administrator can (insteadof requesting that the true identity of the message originator berevealed) request that computing system 102 generate and send a newmessage to the message originator to probe his current state. In variousembodiments, this “new” message can, or cannot, be associated with theoriginal message thread.

In block 306, computing system 102 receives a request from the messagerecipient to update the profile of the message originator with anassessment by the message recipient of the message originator or of themessage content. Computing system 102 can then update the profile withthe assessment (block 307). For example, the message recipient mayrequest that the profile be updated with an assessment that the messageoriginator is depressed, or that the message in the context of themessage thread indicates that some behavior of the message originator isescalating.

In block 308, computing system 102 receives a request from the messagerecipient to forward the electronic message to another message recipient(e.g., a school counselor) or to an organizational authority figure.Computing system 102 can then communicate with the message recipient toforward the electronic message to another message recipient or to theorganizational authority figure (block 309).

In block 310, computing system 102 receives a request from the messagerecipient for activation of an alert. In response, computing system 102can add the alert to the electronic message as discussed herein (step205 of FIG. 2) and update the profile of the message originator with theassociated alert. Computing system 102 can then perform steps 207,and/or 208 as discussed herein with respect to FIG. 2.

In some embodiments, organization member can optionally provideadditional contact information (e.g., a cell phone number or emailaddress) that can be associated with the account so that electronicmessages and/or can be transmitted via a short message service (SMS)text message.

One of skill in the art will understand that the private anonymouselectronic messaging of the embodiments described herein can also beconducted in the context of email messaging through known emailfunctions such as forwarding messages to additional message recipients,blind carbon copying (bcc'ing) additional message recipients, ororganizational authority figures, replying to message originators whilecarbon copying (cc'ing) additional message recipients, etc.

The disclosed method and apparatus has been explained herein withreference to several embodiments. Other embodiments will be apparent tothose skilled in the art in light of this disclosure. Certain aspects ofthe described method and apparatus may readily be implemented usingconfigurations other than those described in the embodiments herein, orin conjunction with elements other than those described herein. Forexample, the private anonymous electronic messaging is discussed hereinin detail in the context of forum messaging, but can also be implementedin the context of email or text messaging.

Further, it should also be appreciated that the described method andapparatus can be implemented in numerous ways, including as a process,an apparatus, or a system. The methods described herein may beimplemented by program instructions for instructing a processor toperform such methods, and such instructions recorded on a computerreadable storage medium such as a hard disk drive, floppy disk, opticaldisc such as a compact disc (CD) or digital versatile disc (DVD), flashmemory, etc., or a computer network wherein the program instructions aresent over optical or electronic message links. It should be noted thatthe order of the steps of the methods described herein may be alteredand still be within the scope of the disclosure.

It is to be understood that the examples given are for illustrativepurposes only and may be extended to other implementations andembodiments with different conventions and techniques. While a number ofembodiments are described, there is no intent to limit the disclosure tothe embodiment(s) disclosed herein. On the contrary, the intent is tocover all alternatives, modifications, and equivalents apparent to thosefamiliar with the art. For example, although examples herein describeanonymous electronic messaging in an educational environment (e.g.,between students and teachers or administrators), other embodiments inother organizational environments (e.g., military, workplace) areexpressly contemplated. As an example, in a military environment, anenlisted troop can use the disclosed anonymous electronic messagingmethods and systems to, e.g., report hazing by other troops, or abusesanctioned by an officer. Likewise, in a business environment, aclerical worker can use the disclosed anonymous electronic messagingmethods and systems to, e.g., discuss concerns about sexual harassmentfrom a boss.

In the foregoing specification, the invention is described withreference to specific embodiments thereof, but those skilled in the artwill recognize that the invention is not limited thereto. Variousfeatures and aspects of the herein-described invention may be usedindividually or jointly. Further, the invention can be utilized in anynumber of environments and applications beyond those described hereinwithout departing from the broader spirit and scope of thespecification. The specification and drawings are, accordingly, to beregarded as illustrative rather than restrictive. It will be recognizedthat the terms “comprising,” “including,” and “having,” as used herein,are specifically intended to be read as open-ended terms of art.

What is claimed is:
 1. A method for electronic messaging between a message originator of an organization and a message recipient of the same organization comprising: authenticating by a disinterested third-party computing system the message originator based on a known true identity; generating by the computing system based on communication with a device of the message originator an electronic message about a topic; updating by the computing system a profile of the message originator based on the electronic message; generating by the computing system an alert based on the updated profile or the electronic message; and sending by the computing system the electronic message and the alert to a device of the message recipient without revealing the known true identity of the message originator unless the alert exceeds a predefined threshold that triggers revealing the known true identity of the message originator or if the message recipient is authorized by the organization to receive the known true identity.
 2. The method of claim 1 further comprising sending by the computing system some or all of the updated profile to the device of the message recipient without revealing the known true identity of the message organization unless the alert exceeds a predefined threshold that triggers revealing the known true identity of the message originator or if the message recipient is authorized by the organization to receive the known true identity.
 3. The method of claim 2 wherein the electronic message, the alert, and the updated profile are sent in a single communication.
 4. The method of claim 2 wherein the electronic message, the alert, and the updated profile are not sent in a single communication.
 5. The method of claim 1 wherein the known true identity is the name of the message originator or an organizational identification number unique to the message originator.
 6. The method of claim 1 wherein the message originator selects the topic from a predefined list of topics.
 7. The method of claim 1 further comprising sending by the computing system the electronic message and the alert to a device of an organizational authority figure.
 8. The method of claim 1 further comprising sending by the computing system some or all of the updated profile, the known true identity of the message originator, or the updated profile and the known true identity of the message originator to a device of an organizational authority figure.
 9. The method of claim 1 further comprising sending by the computing device the electronic message and the alert to a device of a third-party responder.
 10. The method of claim 1 further comprising sending by the computing system some or all of the updated profile, the known true identity of the message originator, or the updated profile and the known true identity of the message originator to a device of a third-party responder.
 11. A method for electronic messaging between a message originator of an organization and a message recipient of the same organization comprising: authenticating by a disinterested third-party computing system the message originator based on a known true identity; generating by the computing system based on communication with a device of the message originator an electronic message about a topic; updating by the computing system a profile of the message originator based on the electronic message; sending the electronic message to a device of the message recipient without revealing the true identity of the message originator; receiving a request from the device of the message recipient to reveal the true identity of the message originator; and sending by the computing system some or all of the updated profile of the message originator to the device of the message recipient without revealing the true identity of the message originator unless the message recipient is authorized by the organization to receive the known true identity.
 12. The method of claim 11 wherein the known true identity is the name of the message originator or an organizkional identification number unique to the message originator.
 13. The method of claim 11 wherein the message originator selects the topic from a predefined list of topics.
 14. The method of claim 11 further receiving a request from the device of the message recipient to activate an alert and generating the alert.
 15. The message of claim 14 further comprising sending by the computing system the known true identity of the message originator to the device of the message recipient if the alert exceeds a predefined threshold triggering disclosure of the true identity of the message originator.
 16. The method of claim 14 further comprising sending by the computing system the electronic message, the alert, or the electronic message and the alert to a device of an organizational figure or a third-party responder.
 17. The method of claim 16 further comprising sending by the computing system some or all of the updated profile, the known true identity of the message originator, or some or all of the updated profile and the known true identity of the message originator to the device of the organizational authority figure or the third-party responder.
 18. A non-transitory computer readable medium having stored thereupon computing instructions comprising: a code segment to authenticate by a disinterested third-party computing system a message originator of an organization based on a known true identity; a code segment to generate by the computing system based on communication with a device of the message originator an electronic message about a topic; a code segment to update by the computing system a profile of the message originator based on the electronic message; a code segment to generate by the computing system an alert based on the updated profile or the electronic message; and a code segment to send by the computing system the electronic message and the alert to a device of a message recipient of the same organization without revealing the known true identity of the message originator unless the alert exceeds a predefined threshold that triggers revealing the known true identity of the message originator or if the message recipient is authorized by the organization to receive the known true identity.
 19. A non-transitory computer readable medium having stored thereupon computing instructions comprising: a code segment to authenticate by a disinterested third-party computing system a message originator of an organization based on a known true identity; a code segment to generate by the computing system based on communication with a device of the message originator an electronic message about a topic; a code segment to update by the computing system a profile of the message originator based on the electronic message; a code segment to send the electronic message to a device of a message recipient of the same organization without revealing the true identity of the message originator; a code segment to receive a request from the device of the message recipient to reveal the true identity of the message originator; and a code segment to send by the computing system some or all of the updated profile of the message originator to the device of the message recipient without revealing the true identity of the message originator unless the message recipient is authorized by the organization to receive the known true identity. 